News Room

Network Box Feature Update

Network Box Feature Update

18/4/2008

Unsolicited NDRs

Over the past two weeks there has been a marked increase in the amount of Spam messages being sent as bounce messages which is commonly described as ‘back-scatter’. The core of the back-scatter problem is that it is trivial to forge the sender address of an email. In normal SMTP email, there are no protection mechanisms to authenticate the sender’s claimed email address.

Spammers don’t want to deal with back-scatter, and they don’t want complaints coming back, so they forge the sender address in the spams they send out. However, while there are no truly standard and universal mechanisms to authenticate a sender’s claimed email address, there are mechanisms to validate an email address. So, the simplest solution for the spammer is to forge the sender address so that it is not his own, but is still a valid email address. The spammer simply chooses a random valid email address and uses that. If that random valid email address happens to be one of our customer’s, the result is a huge amount of back-scatter (non-deliverables, vacation messages, etc) directed to the customer. This can dramatically increase the amount of email seen and as bounce messages are legitimate email, causes a problem with Anti-Spam solutions.

Legitimate NDRs

The actual messages that make up back-scatter are perfectly valid and conform to the Internet RFCs (standards). Most of these take the form of NDRs (Non-Delivery-Receipts). The Internet SMTP standards state that if a mail relay has already been accepted but cannot deliver an email message, it should raise an NDR back to the sender (to inform the sender of the problem) and then discard the message.

These NDRs are always in response to a message sent to the original, non-deliverable, recipient. They are never sent unsolicited. While there is no standard for the structure of the message, a common practice is to include a short non-delivery report, and then attach (or include) a fragment of the original non-deliverable message. To stop NDRs being raised for NDRs, the envelope sender for NDRs is always the ‘null’ sender (‘<>’).

The Network Box as_bounces Protection

The key to controlling back-scatter is differentiating the legitimate NDRs — and allowing them through — from undesirable backscatter which should be blocked. The key to the solution is discovering if the original message, now reported as undeliverable, was actually sent out by the customer. So Network Box has created the ‘as_bounces’ protection. The as bounces solution provides a sophisticated mechanism for digitally signing all outbound messages (including signing on behalf of a group of Network Boxes). This solution also provides a mechanism whereby it can scan NDRs for digital signatures and specific relay host entries, looking for evidence that the original message was outbound. Should this be found, as bounces can permit the NDR through. Should it not be found, the NDR can be marked as spam and quarantined on the Network Box in the usual fashion.

If you want this feature to be enabled on your Network Box please open a ticket and the support team will ensure it is implemented.

Network Box has 12 Security Operation Centres. They work round the clock to monitor network conditions across the globe. Together with PUSH Update technology, while network security level is greatly improved, the workload of our IT department is largely reduced. What's more, the Network Box solution is reasonably priced. The cost is far lower than additional manpower dedicated to monitoring.